Pitfalls of setting kernel parameters in a Deployment's podTemplate

Background
A business application needed some kernel parameters changed on its pods. Those parameters are classified as unsafe sysctls, so they can only be used after they are added to the kubelet's --allowed-unsafe-sysctls flag, and the pods must also be scheduled onto the nodes whose kubelet was changed this way.
What happens if you edit the deployment directly but forget to set node affinity or a nodeSelector? The experiment below reproduces it.
Experiment
Since k8s 1.12 the sysctls feature has been beta and enabled by default, which lets users set kernel parameters in a pod's securityContext:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      securityContext:
        sysctls:
        - name: net.core.somaxconn
          value: "1024"
      containers:
      - name: nginx
        image: nginx

Five minutes after the deployment was created, a look at the cluster showed that it had created over a thousand pods:
$ kubectl get pods
NAME                     READY   STATUS            RESTARTS   AGE
nginx-7fbbcfcc7d-4gmrg   0/1     SysctlForbidden   0          21s
nginx-7fbbcfcc7d-6dfpm   0/1     SysctlForbidden   0          17s
nginx-7fbbcfcc7d-6jkdn   0/1     SysctlForbidden   0          14s
nginx-7fbbcfcc7d-6mf6z   0/1     SysctlForbidden   0          16s
nginx-7fbbcfcc7d-6p2hs   0/1     SysctlForbidden   0          21s
nginx-7fbbcfcc7d-cd759   0/1     SysctlForbidden   0          12s
nginx-7fbbcfcc7d-ckqbl   0/1     SysctlForbidden   0          16s
nginx-7fbbcfcc7d-gtvq4   0/1     SysctlForbidden   0          16s
nginx-7fbbcfcc7d-jbv2p   0/1     SysctlForbidden   0          18s
nginx-7fbbcfcc7d-jdh84   0/1     SysctlForbidden   0          18s
nginx-7fbbcfcc7d-kmd9p   0/1     SysctlForbidden   0          20s
nginx-7fbbcfcc7d-lcp6k   0/1     SysctlForbidden   0          15s
nginx-7fbbcfcc7d-lsdlx   0/1     SysctlForbidden   0          15s
nginx-7fbbcfcc7d-mbd74   0/1     SysctlForbidden   0          19s
nginx-7fbbcfcc7d-mbjnf   0/1     SysctlForbidden   0          18s
nginx-7fbbcfcc7d-mmbj7   0/1     SysctlForbidden   0          21s
nginx-7fbbcfcc7d-n2ndn   0/1     SysctlForbidden   0          21s
nginx-7fbbcfcc7d-rhjmp   0/1     SysctlForbidden   0          14s
nginx-7fbbcfcc7d-rznhl   0/1     SysctlForbidden   0          13s
nginx-7fbbcfcc7d-sfrl9   0/1     SysctlForbidden   0          21s
nginx-7fbbcfcc7d-t9bkk   0/1     SysctlForbidden   0          19s
nginx-7fbbcfcc7d-vd6x8   0/1     SysctlForbidden   0          17s
nginx-7fbbcfcc7d-vt2jh   0/1     SysctlForbidden   0          21s
nginx-7fbbcfcc7d-w4l7n   0/1     SysctlForbidden   0          20s
nginx-7fbbcfcc7d-w5sgq   0/1     SysctlForbidden   0          14s
nginx-7fbbcfcc7d-wlf2c   0/1     SysctlForbidden   0          13s
nginx-7fbbcfcc7d-xh22t   0/1     SysctlForbidden   0          21s

Remedy
kubectl scale deployment --replicas=0 nginx
kubectl delete pods -l app=nginx

Summary
Before setting kernel parameters on a pod, create a temporary pod and verify that they work, and only then edit the deployment; this avoids creating a large number of invalid pods.
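As an added pre-flight check (my own example, not code from the post): it classifies the sysctls in a Deployment's pod template against the kubelet's built-in safe list, matches unsafe ones against an assumed --allowed-unsafe-sysctls list for the tuned nodes, and flags the missing nodeSelector/nodeAffinity that produced the pod storm above. The manifest is the post's, transcribed as a dict; the allowed list and node label are constructed assumptions.

```python
from fnmatch import fnmatchcase

# Sysctls kubelet treats as safe (namespaced, isolated); anything else needs --allowed-unsafe-sysctls.
SAFE_SYSCTLS = {
    "kernel.shm_rmid_forced",
    "net.ipv4.ip_local_port_range",
    "net.ipv4.tcp_syncookies",
    "net.ipv4.ping_group_range",            # safe since k8s 1.18
    "net.ipv4.ip_unprivileged_port_start",  # safe since k8s 1.22
}

def is_allowed_unsafe(name, allowed_patterns):
    """kubelet accepts exact names or glob patterns ending in '*' (e.g. kernel.msg*)."""
    return any(fnmatchcase(name, p) for p in allowed_patterns)

def is_pinned(pod_spec):
    """True if placement is constrained by nodeSelector or required nodeAffinity."""
    node_aff = (pod_spec.get("affinity") or {}).get("nodeAffinity") or {}
    return bool(pod_spec.get("nodeSelector")) or \
        "requiredDuringSchedulingIgnoredDuringExecution" in node_aff

def check_deployment(deployment, node_allowed_unsafe=()):
    """Return [(code, sysctl), ...]; empty means the rollout cannot hit SysctlForbidden.
    node_allowed_unsafe: --allowed-unsafe-sysctls patterns of the tuned nodes (assumed).
    NOT_ALLOWED: no node accepts the sysctl, so every pod is rejected.
    NOT_PINNED:  tuned nodes accept it, but nothing keeps pods off ordinary nodes,
                 so the ReplicaSet keeps replacing rejected pods (the pod storm above).
    """
    pod_spec = deployment.get("spec", {}).get("template", {}).get("spec", {})
    findings = []
    for s in (pod_spec.get("securityContext") or {}).get("sysctls") or []:
        name = s.get("name", "")
        if name in SAFE_SYSCTLS:
            continue
        if not is_allowed_unsafe(name, node_allowed_unsafe):
            findings.append(("NOT_ALLOWED", name))
        elif not is_pinned(pod_spec):
            findings.append(("NOT_PINNED", name))
    return findings

# The post's Deployment, transcribed as the dict yaml.safe_load would produce.
NGINX_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "nginx"},
    "spec": {"replicas": 1, "selector": {"matchLabels": {"app": "nginx"}},
             "template": {"metadata": {"labels": {"app": "nginx"}},
                          "spec": {"securityContext": {"sysctls": [
                                       {"name": "net.core.somaxconn", "value": "1024"}]},
                                   "containers": [{"name": "nginx", "image": "nginx"}]}}},
}
```

Run `check_deployment(NGINX_DEPLOYMENT, ("net.core.somaxconn",))` against the post's manifest and it reports NOT_PINNED, which is exactly the configuration that filled the cluster with SysctlForbidden pods.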
